How to solve event warning?

I have warning EventID 7062 in the event viewer, which is the following:

The DNS server encountered a packet addressed to itself on IP address 192.168.10.2. The packet is for the DNS name "usb.mtmyza.net.". The packet will be discarded. This condition usually indicates a configuration error.

Check the following areas for possible self-send configuration errors:
1) Forwarders list. (DNS servers should not forward to themselves).
2) Master lists of secondary zones.
3) Notify lists of primary zones.
4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server.
5) Root hints.

Example of self-delegation:
-> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com.
-> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com,
(bar.example.microsoft.com NS dns1.example.microsoft.com)
-> BUT the bar.example.microsoft.com zone is NOT on this server.

Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record.

You can use the DNS server debug logging facility to track down the cause of this problem.

Can you check what is configured as the DNS server in the IP address settings?
It should not be the IP address of your DNS server but 127.0.0.1 (loopback). This event can often suggest this problem.

0

aldahan (Author) Commented: 2008-11-16

It was the IP of the server and I changed it now. But I still have the same event after the change.

Expand the DNS zone and look for the subdomain with a grayed zone icon.
Delete the delegation by pressing the Delete key and answering yes to the confirmation question.

0

aldahan (Author) Commented: 2008-11-28

I have deleted the subdomain in the DNS zone and restarted the DNS service, but I still have the following event:

The DNS server encountered a packet addressed to itself on IP address 192.168.10.2. The packet is for the DNS name "domain.aldahan.". The packet will be discarded. This condition usually indicates a configuration error.

Check the following areas for possible self-send configuration errors:
1) Forwarders list. (DNS servers should not forward to themselves).
2) Master lists of secondary zones.
3) Notify lists of primary zones.
4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server.
5) Root hints.

Example of self-delegation:
-> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com.
-> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com,
(bar.example.microsoft.com NS dns1.example.microsoft.com)
-> BUT the bar.example.microsoft.com zone is NOT on this server.

Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record.

You can use the DNS server debug logging facility to track down the cause of this problem.

Looking at the DNS screenshot makes me wonder if there's another DC named 'domain'?

(same as parent) NS domain.aldahanco.com
(same as parent) NS win2008.aldahanco.com
(same as parent) A 192.168.10.8
(same as parent) A 192.168.10.2

Configure the DNS server to run on both DCs, and have each DC use the other server as its secondary DNS.

The timestamp in the screenshot looks strange. How is aging/scavenging configured for the zone/server?
If 'domain' is an old server that isn't available and aging is set to a high value, you'll get orphan SRV records that will not be scavenged.

Can you check if you have any errors in the output from the dcdiag or netdiag commands and post them?

0

aldahan (Author) Commented: 2008-11-29

The domain.aldahanco.com (192.168.10.8) is an old DC and it has been removed from the network, so the domain has one DC, which is win2008. The timestamp is not a Gregorian calendar, that's why it seems very old, but the oldest stamp is from 10 months ago.
The netdiag returns an error that it is not a recognized command. (attachment: dns.JPG)

The orphan data in DNS needs to be deleted, either manually by going through the _msdcs, _tcp etc. structures and pressing Delete for each old SRV record, or by right-clicking on the server and choosing 'Scavenge Stale Resource Records'.
Aging is configured either on DNS zone properties -> Aging, or on server -> right-click -> 'Set Aging/Scavenging for All Zones'.
Configure automatic scavenging through server properties -> Advanced.

I forgot that netdiag doesn't exist in 2008, sorry for the confusion. Use dcdiag /fix to see if it solves the error.

0

aldahan (Author) Commented: 2008-11-29

I have set all the periods for scavenging to 7 days as default, and I have run dcdiag /fix. After I restarted the DNS service, when I click Active Directory Users and Computers, it takes around 10 minutes to open the console. Also I found the following warning:

Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources.

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns

dcdiag /test:dns

4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

It tries to reach the DC 'domain' that doesn't exist. All references in _msdcs, _tcp, _udp, _sites to that old server need to be cleaned up.
As you have ForestDnsZones and DomainDnsZones, it sounds like you have AD-integrated zones. This gives better security, as you can configure security on the records and have secure-only dynamic registrations. You also get better replication, since DNS data replicates with AD.
A negative effect of having AD-integrated DNS zones is that you can get a catch-22 scenario, where AD relies on DNS and DNS at the same time relies on AD, if you don't have a secondary DNS. Install a second DC to get redundancy for AD, and also configure it as secondary DNS (cross-reference both DCs to use the other as secondary and itself as primary) to get redundancy for DNS.

Are all FSMO roles transferred to win2008, with no FSMO role pointing at the old server? Use ADUC and right-click on the domain name -> 'Operations Masters' to check the 3 domain FSMOs, and do the same thing in ADDT (right-click on the top node) for the 2 forest roles. If FSMOs are still on 'domain', you need to seize them over to win2008 by using ntdsutil.

0
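As an added example (not code from the thread, from Microsoft, or from any poster), a PowerShell audit for two of the items discussed above: forwarders pointing at the server's own addresses (self-send item 1 in the 7062 event) and leftover NS/SRV/CNAME/A records that still name the removed DC across the primary zones, which covers the _msdcs, _tcp, _udp and _sites subtrees. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, so not the 2008 box in this thread, which would need dnscmd instead) and uses the thread's 'domain.aldahanco.com' / 192.168.10.8 as placeholder values.

```powershell
# Added example, not from the thread. Audits a DNS server for (1) self-send forwarders
# and (2) records in every primary zone that still reference a decommissioned DC.
# Assumes the DnsServer module (Server 2012+ / RSAT). Placeholder values below are the
# ones from the thread; adjust $OldDc / $OldDcIp for your own environment.
param(
    [string]$OldDc   = 'domain.aldahanco.com',   # decommissioned DC (from the thread)
    [string]$OldDcIp = '192.168.10.8',           # its stale A record (from the thread)
    [string]$DnsHost = 'localhost'
)
Import-Module DnsServer

# (1) Self-send: a forwarder equal to one of this host's own addresses triggers event 7062.
$ownIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$fwdIps = (Get-DnsServerForwarder -ComputerName $DnsHost).IPAddress |
          ForEach-Object { $_.IPAddressToString }
$selfFwd = $fwdIps | Where-Object { $ownIps -contains $_ }
if ($selfFwd) { Write-Warning "Forwarder points back at this server: $($selfFwd -join ', ')" }

# (2) Stale references to the old DC in NS, SRV, CNAME and A records.
function Test-StaleRecord($rec) {
    switch ($rec.RecordType) {
        'NS'    { $rec.RecordData.NameServer.TrimEnd('.')    -ieq $OldDc }
        'SRV'   { $rec.RecordData.DomainName.TrimEnd('.')    -ieq $OldDc }
        'CNAME' { $rec.RecordData.HostNameAlias.TrimEnd('.') -ieq $OldDc }
        'A'     { $rec.RecordData.IPv4Address.IPAddressToString -eq $OldDcIp }
        default { $false }
    }
}

# Walk every primary zone; child nodes such as _msdcs, _tcp, _udp, _sites are ordinary
# records under the zone (or their own primary zone), so both cases are covered.
$zones = Get-DnsServerZone -ComputerName $DnsHost |
         Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
$stale = foreach ($z in $zones) {
    Get-DnsServerResourceRecord -ZoneName $z.ZoneName -ComputerName $DnsHost |
        Where-Object { Test-StaleRecord $_ } |
        Add-Member -NotePropertyName Zone -NotePropertyValue $z.ZoneName -PassThru
}

# Timestamp shows why scavenging never removed these: static (null) records are not aged.
$stale | Select-Object Zone, HostName, RecordType, Timestamp | Format-Table -AutoSize

# After reviewing the list, remove the records zone by zone, e.g.:
#   foreach ($r in $stale) { Remove-DnsServerResourceRecord -InputObject $r -ZoneName $r.Zone -Force }
```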

aldahan (Author) Commented: 2008-11-29

I had an old server, which is 'domain', and I transferred it to a new server, win2008. Then I transferred all the FSMO roles, then I removed the server 'domain' from the network. So I think that I have to clean up all references in _msdcs, _tcp, _udp, _sites to that old server. If so, how can I do it?

0

aldahan (Author) Commented: 2008-11-29

I have deleted all the references except in _msdcs, where it cannot be deleted.

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

Now I have 2 warnings in the Active Directory and 1 error. Also one warning in the DNS.

The AD error:

Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns

dcdiag /test:dns

4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

The Connection object for this directory service will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this directory service resumes, the temporary connection will be removed.

Additional Data
Error value:
1256 The remote system is not available. For information about network troubleshooting, see Windows Help.

AD warning 2:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

DNS warning:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

The reason for the error is that with "delete selected server ... on ...", you need to enter the DN (LDAP path) of the server that you want to delete.
Copied from the error in the earlier post, it should be
"CN=DOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aldahanco,DC=com"

If unsure about the DN, use the following in ntdsutil:
metadata cleanup
select operating targets
connections
connect to server win2008
quit
list sites
select site 0
list servers in site
select server <number of server to delete>
quit
remove selected server

It works. I have restarted the server, and now there is only one warning in the Active Directory, which seems not related to the question, which is the following:

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.

0

aldahan (Author) Commented: 2008-11-30

I recognize now that the Active Directory Users and Computers console is taking a long time to open, around 10 minutes.

0

aldahan (Author) Commented: 2008-12-01

Thanks a lot for the help.

0
